General

  • Target

    vanity spoofer.exe

  • Size

    3.9MB

  • Sample

    230201-ywjb3sdf2z

  • MD5

    a05eb88a8582c2379f211a3f1f927921

  • SHA1

    0f75aba442b075198318e1cb0c0c9a1829bdf518

  • SHA256

    af947d6eb5857e58621007a6d838c85de6e90e090fc2c14a664ded97a4a3bca5

  • SHA512

    f8ff1bc58583d57910634b30287612682772dbe96c70a1b7ed5fc541b1f88eae9c3dcc1017d52100d25c81fff1d5af44fa6f65ac8fbc9953d72057f38c4fc018

  • SSDEEP

    98304:x0T+SrpWYVrsk9N8ivyhAdsPSQxhsnWJLXq0f4ogdCyb:MfzVN8iNISOlJzqwU

Malware Config

Targets

    • StormKitty

      StormKitty is an open-source information stealer written in C#.

    • StormKitty payload

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers.

    • Nirsoft

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access

    Credentials in Files (T1081): 1

  • Discovery

    Query Registry (T1012): 1

    System Information Discovery (T1082): 2

  • Collection

    Data from Local System (T1005): 1

Tasks